DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2860 and NTP

20 Aug 2018 10:39 #1 by rappel
2860 and NTP was created by rappel
Have looked through previous posts & there's a couple of refs that might be helpful when I get to the next level of knowledge but nothing that I can see gives me initial insight.

So, I'm trying to get NTP working for a couple of NAS and servers on my network. Internet connectivity provided by a 2860 (at f/w 3.8.6_BT if that makes any difference).

The 2860 happily configured to use one of the uk.pool.ntp.org servers and updates time automatically.

All internal requests to the same server (tried a couple different as well) fail, so presumably a firewall block.

Before I go down a rabbit hole to solve this with an internal time server...

a) Can the 2860 act as an NTP time server (given it's already securely accessing the service and updating)?
b) If not then all advice on the web seems to point to having to open up UDP port 123 inbound, which is not advised (so presumably it's fully open and not restricted in any way). Is there a secure way of allowing NTP usage either by multiple internal clients or by a single client (internal NTP server) (or perhaps defining a "DMZ host" which becomes an NTP server - but that just passes on the security burden...)?

Please bear in mind that while I can configure basic firewalls with nice simple interfaces I'm no expert and I've not done anything with the DrayTek and comments seem to indicate it's not intuitive with its rules (filters).
That said happy to have a go, it's all good learning.

Thanks.

20 Aug 2018 14:11 #2 by hornbyp
Replied by hornbyp on topic Re: 2860 and NTP
This appears to work OK for me, without opening ports or setting firewall rules :-
Code:
C:\>w32tm /monitor /computers:uk.pool.ntp.org
uk.pool.ntp.org[139.162.250.196:123]:
    ICMP: 20ms delay
    NTP: +0.0317723s offset from local clock
        RefID: gatekeeper.dhco.org [89.101.218.6]
        Stratum: 2

I tried it from a variety of (Windows) PCs and also from my phone (using the first app I found in the app. store).

I notice that the NTP servers that make up this 'pool' all seem to be configured differently - so maybe you keep making contact with a rogue one?

You could try your ISP's NTP server - or failing that (as a test only), ntp2a.mcc.ac.uk. (The latter also used to host a web site devoted to "Father Ted", which, for some bizarre reason, has made it stick in my mind :roll: )

rappel wrote:
a) Can the 2860 act as an NTP time server (given it's already securely accessing the service and updating)?


Unfortunately, no.

20 Aug 2018 14:37 #3 by rappel
Replied by rappel on topic Re: 2860 and NTP
OK, that's interesting, in the sense that when I borrowed the wife's Windows PC and tried it from the command line it worked as yours did. I presume that response means that it has returned the time.
On rechecking, one of the devices had its default gateway set incorrectly; correcting that allowed it to update correctly. I guess therefore there are other issues with the others.

... so does NTP actually need open ports then or is the 2860 friendly to NTP in some way with default config?

20 Aug 2018 14:48 #4 by hornbyp
Replied by hornbyp on topic Re: 2860 and NTP

rappel wrote: I presume that response means that it has returned the time.


Yes.

and he wrote: ... so does NTP actually need open ports then or is the 2860 friendly to NTP in some way with default config?



As far as I'm aware, the presence of the "NAT Session" is sufficient to allow the response back in.

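The exchange discussed in this thread, as an added example (not part of any forum post and not DrayTek code): a minimal SNTP client in Python that sends its query from an ephemeral source port, so the reply comes back through the NAT session created by the outbound packet and no inbound rule for UDP 123 is involved. The function names and the sample reply are constructed for illustration; the origin-timestamp comparison is the client-side check that a reply really answers this request.

```python
import socket, struct, time

NTP_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)

def to_ntp(t):
    """Unix float time -> 8-byte NTP timestamp (32-bit seconds, 32-bit fraction)."""
    return struct.pack("!II", int(t) + NTP_DELTA, int((t % 1) * 2**32))

def from_ntp(b):
    secs, frac = struct.unpack("!II", b)
    return secs - NTP_DELTA + frac / 2**32

def build_request(t1):
    """48-byte client packet: LI=0, VN=4, Mode=3 (client); transmit timestamp = t1."""
    return bytes([0x23]) + bytes(39) + to_ntp(t1)

def parse_reply(req, data, t1, t4):
    """Validate a server reply against our request; compute offset/delay (RFC 5905)."""
    if len(data) < 48 or (data[0] & 0x07) != 4:
        raise ValueError("not an NTP server reply")
    # The NAT session only matches addresses and ports; the echoed origin
    # timestamp is what ties the reply to this particular request.
    if data[24:32] != req[40:48]:
        raise ValueError("origin timestamp does not match our request")
    t2, t3 = from_ntp(data[32:40]), from_ntp(data[40:48])
    return {"stratum": data[1],
            "offset": ((t2 - t1) + (t3 - t4)) / 2,
            "delay": (t4 - t1) - (t3 - t2)}

def query(server="uk.pool.ntp.org", timeout=3.0):
    """Live query. No bind(): the OS picks an ephemeral source port, and the
    router's NAT session for that outbound flow lets the reply back in."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 123))  # connected UDP socket: only this peer's datagrams are accepted
        t1 = time.time()
        req = build_request(t1)
        s.send(req)
        data, t4 = s.recv(512), time.time()
        return s.getsockname()[1], parse_reply(req, data, t1, t4)

def constructed_reply(req, t2, t3):
    """Constructed sample reply (not captured traffic): Mode=4 (server), stratum 2."""
    return bytes([0x24, 2]) + bytes(22) + req[40:48] + to_ntp(t2) + to_ntp(t3)

if __name__ == "__main__":
    t1 = 1534772340.25  # constructed client send time
    req = build_request(t1)
    reply = constructed_reply(req, t1 + 0.5625, t1 + 0.5625)
    print(parse_reply(req, reply, t1, t1 + 0.125))  # offset 0.5 s, delay 0.125 s
```

Calling `query()` on a LAN client returns the local source port alongside the parsed result, which can be matched against the router's NAT session table.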

20 Aug 2018 17:44 #5 by rappel
Replied by rappel on topic Re: 2860 and NTP
OK.

Many thanks for the assist.

Now I just need to work out what undoubtedly I got wrong in the first place.
